Transparent HTTPS scanning proxy profile for one client

Hi all,

ASG in routing mode works fine. Sometimes one application has problems with getting information from its external server through our transparent proxy. A single proxy profile using standard mode and setting up the application helped.

Now I want to try HTTPS traffic scanning. So at first I thought creating a profile for my client linked to the default action, default assignment and with HTTPS traffic scanning enabled would work.

It works without HTTPS traffic scanning. The log file shows my client goes through the defined profile, but HTTPS goes through our packet filter rule.

Second, I created a completely new filter action and filter assignment, but HTTPS goes through the PFR too.

Is there a possibility to get HTTPS traffic scanning with a transparent proxy profile enabled?

Deactivating HTTPS pfr and enabling in web proxy is no option.
-- 
Kind regards,

Steffen


  • I can't read the log entries.  Can you just post those in clear text and change your IPs?  Also, do you confirm that hst_admin_1 is the subnet 10.x.25.0/24?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    here you can read the PF LL entries:

    [PHP]
    2010:04:07-08:57:29 astaro httpproxy[4096]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="***" user="" statuscode="200" cached="0" profile="REF_NTZkryZuSH (HTTPS-Test)" filteraction="REF_fRSTWCecVE (HTTPS-Test)" size="1740" time="910 ms" request="0xaf98c448" url="evintl-ocsp.verisign.com/.../ocsp-response"
    2010:04:07-08:57:30 astaro httpproxy[4096]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="***" user="" statuscode="200" cached="0" profile="REF_NTZkryZuSH (HTTPS-Test)" filteraction="REF_fRSTWCecVE (HTTPS-Test)" size="1482" time="644 ms" request="0xb16cb5d0" url="evsecure-ocsp.verisign.com/.../ocsp-response"
    2010:04:07-08:57:31 astaro httpproxy[4096]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="***" user="" statuscode="200" cached="0" profile="REF_NTZkryZuSH (HTTPS-Test)" filteraction="REF_fRSTWCecVE (HTTPS-Test)" size="1480" time="247 ms" request="0xb14befa0" url="ocsp.thawte.com/.../ocsp-response"
    2010:04:07-08:57:31 astaro httpproxy[4096]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="***" user="" statuscode="200" cached="0" profile="REF_NTZkryZuSH (HTTPS-Test)" filteraction="REF_fRSTWCecVE (HTTPS-Test)" size="1480" time="381 ms" request="0xb14befa0" url="ocsp.thawte.com/.../ocsp-response" 
    [/PHP]

    The HTTPS traffic goes through our PFR. I think HTTPS traffic scanning couldn't work because it's not enabled in global settings. But I can't change it for all now - in our LAN. Admin client's IP belongs to our LAN, it's mine.

    On my testing ASL I've HTTPS traffic scanning enabled from first configuration. But there are only two clients, used by me not producing side effects.
    -- 
    Kind regards, Steffen
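
One way to check from the web proxy log whether any HTTPS request from the test client reached the proxy at all, as the excerpt above is used for. This is an added example, not part of the thread: the sample lines are constructed, the source addresses, URLs and second profile name are placeholders, and the CONNECT / `https://` test is an assumption about how proxied HTTPS is logged.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout of the httpproxy entries
# quoted above. Source addresses, URLs and the second profile are placeholders.
SAMPLE = "\n".join([
    '2010:04:07-08:57:29 astaro httpproxy[4096]: id="0001" name="http access" action="pass" method="POST" srcip="192.0.2.10" profile="REF_NTZkryZuSH (HTTPS-Test)" url="http://ocsp.example.test/a"',
    '2010:04:07-08:57:30 astaro httpproxy[4096]: id="0001" name="http access" action="pass" method="GET" srcip="192.0.2.10" profile="REF_NTZkryZuSH (HTTPS-Test)" url="http://www.example.test/"',
    '2010:04:07-08:57:31 astaro httpproxy[4096]: id="0001" name="http access" action="pass" method="CONNECT" srcip="192.0.2.20" profile="REF_Example (Other)" url="https://www.example.test/"',
    '2010:04:07-08:57:32 astaro otherdaemon[1]: unrelated line',
])

LINE_RE = re.compile(r'^(\S+) \S+ httpproxy\[\d+\]: (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one httpproxy line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group(2)))
    rec["timestamp"] = m.group(1)
    return rec


def is_https(rec):
    # Assumption: HTTPS handled by the proxy is logged as CONNECT or with an https:// URL.
    return rec.get("method") == "CONNECT" or rec.get("url", "").startswith("https://")


def summarize(text, srcip):
    """Count proxy log entries for one client, keyed by (profile, "http" | "https")."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("srcip") != srcip:
            continue
        counts[(rec.get("profile", ""), "https" if is_https(rec) else "http")] += 1
    return counts


def https_seen_by_proxy(text, srcip):
    """True if at least one HTTPS request from srcip appears in the proxy log."""
    return any(kind == "https" for _, kind in summarize(text, srcip))


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20"):
        print(client, dict(summarize(SAMPLE, client)), https_seen_by_proxy(SAMPLE, client))
```

A client whose entries are all plain HTTP under its profile, with no HTTPS entry, matches the situation described in the post: the profile is applied, but HTTPS is not reaching the proxy.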